Closed Bug 463893 Opened 16 years ago Closed 1 year ago

always load remote images should not be based on sender's email address - use smtp server from which the message originates or on the server serving the images

Categories

(Thunderbird :: Message Reader UI, enhancement)

Product:
Thunderbird
Component:
Message Reader UI
Type:
enhancement

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: reto, Unassigned)

Details

(Keywords: privacy) 

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/20080926 Firefox/2.0.0.17
Build Identifier: 

Thunderbird by default blocks remote images and provides a link saying

"Click here to always load remote images from
foo@example.org"

As the from address say nothing about the origini of the mail the unblocking should be based either on the smtp server from which the message originates or on the server serving the images.

Rationale: as it is usually quite easy to guess the bulk-mailing services one is subscribed to, if the user used this option to enable images in the mails from a certain sender (e.g. ebay, twine) and attacker can simply send an email with the from-address of a (probably) subscribed service to break the user's privacy.

Reproducible: Always

Steps to Reproduce:
1. get an email containing remote images
2. click on the "always load" link
3. get an email from an attacker setting thta service address as from-sddress
I have a variation on this idea (using TB 2.0.0.21):
In order to allow the automatic loading of issues, I am directed to add a contact.  The particular problem I have is that, for one newsletter to which I subscribe, part of the senders address is always different - 'news dot <variable character string> at domain name'.
How can I allow Thunderbird to match the '<variable character string>' with the wildcard character '*', or similar, so that I can say '... always load remote images from 'news dot asterisk at domain name' - rather than have loads of contact entries for the one newsletter?
I agree that Thunderbird should make it easy to always load the images in a newsletter. Your suggestion however is based on the sender address with poses the problem this issue should address.

In the example of the newsletter you use: if an attacker wants to find out if you subscribed to a particular newsletter they can simply send you an email with one of the newsletters-from addresses containing a reference to an image on a server under control of the attacker. If that image gets requested on the server, this is an evidence that you subscribed to this newsletter.
Keywords: privacy
Component: General → Message Reader UI
QA Contact: general → message-reader
Severity: normal → enhancement
Version: unspecified → Trunk
This is actually a security issue and should probably be getting a bit more attention. The spammers are not stupid, and they already phish with common services' From addresses.
Severity: normal → S3

We support "on the server serving the images", so changing this to WFM

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME
Summary: always load remote images should not be based on sender's email address → always load remote images should not be based on sender's email address - use smtp server from which the message originates or on the server serving the images
You need to log in before you can comment on or make changes to this bug.